GHSA-gx8x-g87m-h5q6: 
Ruby vulnerability analysis and mitigation

The vulnerability (GHSA-gx8x-g87m-h5q6) affects Nokogiri versions below 1.13.4, specifically in its JRuby implementation. The issue stems from the vendored org.cyberneko.html library, which was discovered to have a Denial of Service vulnerability. This security flaw was assigned a High severity rating with a CVSS score of 7.5 (GitHub Advisory).

The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption). When parsing ill-formed HTML markup, the fork of org.cyberneko.html used by Nokogiri raises a java.lang.OutOfMemoryError exception. The issue specifically affects the JRuby implementation of Nokogiri and was tracked as CVE-2022-24839 (NIST NVD, GitHub Advisory).

The vulnerability can lead to a Denial of Service condition through uncontrolled resource consumption. When exploited, it can cause the application to run out of memory when processing specially crafted HTML input, potentially affecting the availability of the service (GitHub Advisory).

The recommended mitigation is to upgrade to Nokogiri version 1.13.4 or later. This version updates the vendored org.cyberneko.html library to version 1.9.22.noko2, which includes the security fix. The fix involves proper handling of ill-formed Processing Instructions (PIs) in the HTML parser (Nokogiri Release).

The vulnerability was reported by 이형관 (windshock) and was addressed promptly by the Nokogiri team. The fix was announced through the Ruby Security Announcements mailing list, indicating the security community's coordinated response to the issue (Ruby Security).